Companies experimenting with artificial intelligence technologies may find it challenging over the next few years, as they expand their operations in Europe. That’s because by May 2018, tough new European Union rules related to the General Data Protection Regulation (GDPR) will come into effect and could pose problems for companies that rely on gathering and processing user data for their businesses.

At a panel on data privacy at the annual RSA cybersecurity conference in San Francisco, Cisco (CSCO) chief privacy officer Michelle Dennedy explained that companies—from sports brands to pharmaceutical corporations—are gathering more data than ever from the influx of Internet-connected devices now wired into their IT infrastructure. And the problem is that the upcoming regulation is especially tough on what’s known as profiling, which is essentially the ability for companies to use automation to determine certain characteristics of their individual users.

For instance, when a company uses data analytics and related automation technologies to predict whether someone is likely to be a good worker or be more prone to a specific illness, that business is engaging in profiling.

Because the EU regulation leans heavily on protecting the personal data of an individual, companies operating in the European Union have to be extremely careful with how they handle and process their customer data. If the EU determines that a company’s use of data analytic and automation technologies ends up discriminating against certain groups of people, or if a business is unable to fix potential problems with their technologies, they face stiff fines that can cost them up to 4% of their overall revenue.

Companies are no longer just stockpiling their data into large repositories called “data lakes,” Dennedy said. They are now using various AI technologies like machine learning to build powerful software services that can automatically make decisions on their own, based on the data they processed.

If these types of AI-powered software start taking on tasks like determining whether a particular person should receive or not receive a certain benefit or something like financial advice, companies are at higher risk of violating the EU regulation, she explained.

Companies need to carefully determine how to use their various types of data for different purposes that don’t potentially put them at risk of a violation. In some cases, that may mean a company should leave out certain demographic data when debuting a specific service overseas, she said.

It’s Time to Hire a Chief AI Officer

Microsoft (MSFT) assistant general counsel Geff Brown agreed with Dennedy and called for the technology community to “explain very well” complex and misunderstood AI technologies to policy makers that may be ill-informed. Companies must convince EU lawmakers that AI technologies can be used “in the service of humanity,” Brown said. If they don’t, there are provisions “in the new European data law that will be used to crack down on some kinds of artificial intelligence,” he said.

Of course, it’s not easy for U.S. companies to appease tough EU data privacy laws.

Google (GOOG), for example, lost a 2014 ruling over a so-called “right to be forgotten” provision. As a result of the court case, Google had to delete the links to millions of articles on the web on behalf of many EU citizens that wanted the search engine to remove results they feel were inadequate or irrelevant information.

“We have the odd, unintended benefit of being named the defendant,” said Google director of global privacy Keith Enright of the right-to-be-forgotten case. Although Google disagreed with the court’s decision, the company “had no choice but to comply,” Enright said.

Still, Enright seemed hopeful that while there are some “ambiguities” with the way he feels the upcoming EU data rule is written, Google and regulators are in constant discussions, which is helpful to both parties. He said that Google is “seeing some things that are making us optimistic” with how EU policy makers understand how Google builds and uses technology, but he didn’t elaborate.

“The best thing we can do is to have a best faith effort,” said Enright.